How good a shield is Privacy Shield?

Privacy Shield was put in place in 2016 to ensure that transfers of personal data from the EU to the US would be in compliance with European Union privacy law, and thus permissible. The institutional framework of Privacy Shield was weak, and depended on the good will of the US administration. Recent actions by the new administration, including the famous executive order forbidding residents from 7 predominantly Muslim countries to enter the US, may have (presumably unintended) effects on Privacy Shield. To preserve the validity of Privacy Shield in European Courts, strong EU-US cooperation and potentially additional agreements may become necessary.

The transfer of personal data among developed nations is of vital commercial importance.

Under the EU Data Protection Directive, transfers of personal data to a third country are permissible only if the third country in question ensures an adequate level of data protection. The European Commission certified the United States to be compliant in its Safe Harbour decision of 2000, thus permitting data transfers.

The decision of the European Court of Justice (ECJ) in the Schrems case in 2015 invalidated the Safe Harbour framework that had been in effect since 2000. The Privacy Shield measures that were subsequently taken to re-enable data transfers were institutionally weak, and poorly understood by European policymakers. Their successful implementation depended on the good will of the US administration. With a new administration in place in Washington, the Privacy Shield agreement is now under threat.

Background

The Schrems decision was primarily the result of ECJ concerns that the privacy rights of Europeans could not properly be protected in the face of the widespread surveillance conducted in the US under the George W. Bush administration and subsequently under the Obama administration. The EU and the US successfully negotiated a new framework, Privacy Shield, in 2016 to ensure the uninterrupted flow of data, subject to suitable protections of personal privacy.

Privacy Shield has been broadly welcomed on both sides of the Atlantic; however, there are questions about its viability and effectiveness, not only in the future, but also in the present.

Key concerns include:

We begin by distinguishing among different aspects of privacy protection, and then consider each of these aspects in turn.Privacy Shield merely described then-current US presidential guidance. As regards the concerns raised in the Schrems case, no commitments were made going forward. Neither the Commission nor the Parliament appears to have noticed this.

Key portions of Privacy Shield are letters from one US department (for instance, the Office of the Director of National Intelligence (ODNI)) to another (the Department of Commerce). Again, these letters merely describe existing US practice – they make no commitments going forward. US courts will not interpret these letters as binding commitments to a foreign government on the future conduct of the United States.See also Gary Clyde Hufbauer and Euijin Jung (2016), The US-EU Privacy Shield Pact: A Work in Progress, PB 16-12, page 3, which independently arrives at similar conclusions. “The letters from the Director of National Intelligence (Annex VI) and the Assistant Attorney General for the Criminal Division of the Department of Justice (Annex VII) are addressed to second-tier officials in the Department of Commerce, not to the European Commission. Accordingly, their standing as executive agreements appears slight or nonexistent. For the most part these letters simply recite existing legislation and procedures.”

With minor exceptions, Privacy Shield was created under the executive authority of one US president, which means that it can be amended or revoked under the authority of another president (which to some extent has already been the case).

Distinct aspects of privacy are often conflated

In discussing the protection of consumer privacy, three different aspects are often conflated:

Protection of consumer privacy in the face of the interests of commercial firms.

Protection of privacy in the face of the interest of government law enforcement.

Protection of privacy in the face of government surveillance in the interest of national security.

Law enforcement authorities are under pressure to adhere to national legislative frameworks, since the results of any surveillance may need to be disclosed to a judge. If surveillance was improperly conducted, a judge might refuse to accept the evidence.

National security authorities are not subject to equivalent pressure. Unless a whistle-blower such as Snowden emerges, the results of their surveillance will never become public. Intelligence services are not subject to significant external pressure to adhere to applicable law; consequently, the degree to which internal governance is effective is crucial.

The Schrems verdict was based on concerns over government surveillance in the interest of national security. Privacy Shield deals primarily with commercial privacy, and thus is largely irrelevant to the concerns raised in Schrems.

Protection of consumer privacy from abuse by firms

Relative to measures taken by US firms to protect the consumer privacy of Europeans, the Privacy Shield programme creates a self-certification managed by the US Department of Commerce. A US firm can choose to self-certify compliance with obligations that roughly correspond to European privacy obligations. Failure to comply with the commitments that a firm has made could make it subject to sanctions for unfair or deceptive practices by the Federal Trade Commission (FTC) or, where relevant, by the Department of Commerce or Department of Transportation.

These provisions have broad support from US business, and are likely to remain in place.

Protection of consumer privacy from abuse by the US government

Privacy Shield does surprisingly little to address to the European concerns over US mass surveillance that were raised in the Schrems decision problem it was ostensibly created to solve.

In announcing the Adequacy Decision that represented acceptance of the US government’s undertakings comprising Privacy Shield, the Commission proudly trumpeted numerous claims that turn out, on closer examination to be either misleading or outright false:

Clear safeguards and transparency obligations on U.S. government access

The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Everyone in the EU will, also for the first time, benefit from redress mechanisms in this area.

Did the US in fact provide such assurances? Are the assurances effective? Are redress mechanisms meaningful and enforceable?

Few assurances were provided as regards intelligence surveillance

The package of documents encompassing Privacy Shield includes two letters to the US Department of Commerce signed by senior officials of the Office of the Director of National Intelligence (ODNI) and one letter to the US Department of Commerce signed by a senior official of the Department of Justice, Criminal Division.

The letter from the Department of Justice notes that law enforcement and regulatory activities in the United States must conform to US law, and that judicial appeal is possible. This is well and good, but the concerns raised in Schrems relate primarily to data gathering for national security purposes, not to data gathering for law enforcement purposes.

The first letter from the ODNI seeks to explain “principles and requirements that apply to all U.S. signals intelligence activities and for all people, regardless of nationality of location”, relying on US Presidential Policy Directive 28 (PPD-28) of 17 January 2014.

PPD-28 is not law, but it has the force of law. The letter, however, appears to have merely been reporting on current arrangements, not creating new ones. US courts are unlikely to view a letter from one US agency to another under these circumstances as conferring new rights on Europeans that were not already manifest in US law or Executive Orders.

In its Adequacy Decision, the Commission states that PPD-28 “has binding force for U.S. intelligence authorities and remains effective upon change in the U.S. Administration.” It is true that PPD-28 remains in effect until it is no longer in effect, but a new President can revoke or amend PPD-28 with a stroke of the pen.

Little real possibility for Europeans to seek redress

Much has been made of the US Judicial Redress Act of 2016, which was intended to enable EU nationals to file suit in US courts to “under the Privacy Act of 1974 against certain U.S. government agencies for purposes of accessing, amending, or redressing unlawful disclosures of records transferred from a foreign country to the United States”.

The Judicial Redress Act enables suit under only one specific Section of the Privacy Act of 1974 – U.S.C. title 5, section 552a(g)(1) – and only under quite narrow circumstances; moreover, law enforcement and national intelligence would tend to be excluded from the scope of the relevant provisions (see for instance U.S.C. title 5, section 552a(j)). The Judicial Redress Act is thus, once again, largely irrelevant to the surveillance concerns raised in Schrems.

Meaningful redress would have to be implemented under the CALEA or FISA acts (for law enforcement or foreign intelligence, respectively). The previously cited letters from the ODNI claim that this is already possible. Be this as it may, it should be remembered that under the vagaries of US law, these provisions are barely usable by US persons. First, the US government under both the George W. Bush and the Obama administrations has raised numerous roadblocks to suits using an evidentiary privilege known as the state secrets privilege.

Second, it can be difficult to establish that one is an aggrieved party – in the case of national intelligence, the agencies go to great lengths to ensure that the parties do not know that they are subject to surveillance. This can lead to truly bizarre consequences. In the decision of Al-Haramain Islamic Foundation v. Barack H. OBAMA (690 F.3d 1089 (2012)), for instance, the court notes that Al-Haramain Islamic Foundation and its lawyers “claimed that they were subject to warrantless electronic surveillance in 2004 in violation of the Foreign Intelligence Surveillance Act.” 507 F.3d at 1193. At the core of the allegations stood “a classified `Top Secret’ document (the `Sealed Document’) that the government inadvertently gave to [the Al-Haramain organization] in 2004 during a proceeding to freeze the organization’s assets.” We held that the suit itself was not precluded by the state secrets privilege, although the privilege protected the Sealed Document. … Without the Sealed Document, the Al-Haramain organization could not establish that it suffered injury-in-fact and therefore did not have standing to bring suit.”

A recent blog by law firm Hunton & Williams rightly notes that the Judicial Redress Act remains in effect despite the new Executive Order. It goes on to argue, wrongly in our view for the reasons noted above, that as a result of the Judicial Redress Act remaining in force, “absent further action from the U.S. government, we do not expect this Executive Order to impact the legal viability of the Privacy Shield Framework.”

Finally, the US government is apt to change the playing board if they do not like the way that the game is going, as they did when they provided retroactive immunity (with the FISA Amendments Act of 2008) to telecommunications providers that might have violated under colour of law the previous FISA legislation.

Even if redress were fully effective, which it is clearly not in this case, redress as regards surveillance measures should be understood to be at best a limited tool for spot checking compliance. Redress cannot be a substitute for a system of surveillance that is measured and proportionate in the first place.

On a more positive note, Privacy Shield does provide for an Ombudsperson within the US Department of State (their foreign ministry) who can address complaints over suspected violations of the privacy of Europeans. As the European Commission has explained, “The Privacy Shield Ombudsperson is a senior official within the U.S. Department of State who is independent from U.S. intelligence agencies. Assisted by a number of staff, the Ombudsperson will ensure that complaints are properly investigated and addressed in a timely manner, and that you receive confirmation that the relevant U.S. laws have been complied with or, if the laws have been violated, the situation has been remedied. In carrying out its duties, and following up on the complaints received, the Ombudsperson will work closely with and obtain all the information from other independent oversight and investigatory bodies necessary for its response when it concerns the compatibility of surveillance with U.S. law. These bodies are the ones responsible to oversee the various U.S. intelligence agencies.”

Among the letters provided by the US government is a statement by Secretary of State John Kerry in which he names a specific Undersecretary of State as a point of contact for foreign governments that wish to raise concerns about signal intelligence activities. This is a promising mechanism, but its effectiveness will clearly depend on (1) adequate resourcing for the office of the Ombudsperson, (2) independence from the intelligence community, and (3) good faith on the part of the US President, inasmuch as both the office of the Ombudsperson and the intelligence community report to the President. Even this promising step stops short of creating a formal entity with responsibilities that are committed to remain in place beyond the tenure of the Obama administration.

The Commission overstates this in its Adequacy Decision (op. cit.), at paragraph 65: “By letter signed by the Secretary of State and attached as Annex III to this decision the U.S. government has also committed to create a new oversight mechanism for national security interference, the Privacy Shield Ombudsperson, who is independent from the Intelligence Community.” Article 21 of the so-called “Umbrella Agreement” commits the US to provide for oversight through more than one agency, but is exceedingly vague.

Few commitments made going forward

As already noted, when it comes to surveillance for national security, the US undertakings in Privacy Shield appear only to document current practices (any of which could be changed at the stroke of a pen). There are very few commitments as regards future practice. For that matter, as the Article 29 Working Party (which oversees European privacy arrangements has noted), they document current policy but do not necessarily document current practice).

On a more positive note, the Department of Commerce (Undersecretary for International Trade) made a cautiously worded commitment to make “reasonable efforts” to inform the Commission of relevant “material developments in the law”. How useful this commitment is in practice is unclear, however, since (1) presidential Executive Orders and Presidential Policy Directives (PPDs) have the force of law, but whether they are law is debatable, and (2) since PPDs relate to national security, many of them are classified, non‑public documents.

Under the United States constitution, international agreements can constitute either treaties (which must be ratified by the US Senate) or executiveagreements. The agreements are generally executed under one of several legal bases, such as the overall executive authority of the President. These agreements are not ratified by the Senate.

In US law, it is not entirely clear whether treaties that have been ratified by the Senate can be altered or revoked by the President, without the consent of the Congress; however it is fairly clear that an agreement entered into under the executive authority of one President could be altered or revoked under the executive authority of another.

Privacy Shield was not subjected to ratification. There are letters on file from the US Department of Commerce, Federal Trade Commission, Office of the Director of National Intelligence, Federal Bureau of Investigation, and Department of Transportation, but there is no law (with the exception of the Judicial Redress Act of 2016, which however has limited scope) or ratified treaty that puts Privacy Shield in place.

There is thus no legal, statutory guarantee that Privacy Shield will continue to function as it has.

Trump’s Executive Order “Enhancing Public Safety in the Interior of the United States”

Article 14 of the Executive Order is clearly at odds with the positions taken in PPD-28, and thus with Privacy Shield. “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

It is impossible to square this with PPD-28, which says: “All persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of their personal information.”

It is unlikely that the Trump administration consciously sought to undermine Privacy Shield. It is clear, however, that Privacy Shield could easily suffer “collateral damage” from actions like this.

Risks and concerns going forward

All things considered, even though Privacy Shield was built on shaky foundations, it might have functioned well enough with commitment and good will on both sides of the Atlantic.

Businesses clearly support the substantial portions of Privacy Shield that were put in place to protect consumers against misuse of their data by private firms, and want Privacy Shield to remain in place.

As regards the use of personal data by the US government, especially for purposes of national security, however, the picture is much murkier. In the Schrems case, however, the ECJ made it clear that privacy is a right of Europeans, and cannot be ignored.

If Privacy Shield were to be overturned – for instance, due to suits filed by European privacy activists – there would be unfortunate consequences. The EU-US data transfers that Privacy Shield enables are commercially important, especially to multi-national firms. Policymakers would need to react promptly and effectively. Whether the necessary political will to respond is present today is uncertain.

Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.